• RoguePilot Flaw in GitHub Codespaces Enabled Copilot to Leak GITHUB_TOKEN
• A vulnerability in GitHub Codespaces could have been exploited by bad actors to seize control of repositories by injecting malicious Copilot instructions in a GitHub issue.
• The artificial intelligence (AI)-driven vulnerability has been codenamed RoguePilot by Orca Security.
• It has since been patched by Microsoft following responsible disclosure.
• “Attackers can craft hidden instructions inside a GitHub issue that are automatically processed by GitHub Copilot, giving them silent control of the in-codespaces AI agent,” security researcher Roi Nisimi said in a report.
• The vulnerability has been described as a case of passive or indirect prompt injection, where a malicious instruction is embedded within data or content that’s processed by the large language model (LLM), causing it to produce unintended outputs or carry out arbitrary actions.
• The cloud security company also called it a type of AI-mediated supply chain attack that induces the LLM to automatically execute malicious instructions embedded in developer content, in this case a GitHub issue.

Article Summaries:

  • A vulnerability dubbed RoguePilot was discovered in GitHub Codespaces that allowed attackers to inject hidden Copilot instructions into a GitHub issue. When a user opened a Codespace from that issue, the built-in Copilot automatically processed the issue’s description as a prompt, enabling the malicious instructions to silently execute commands and exfiltrate the repository’s privileged GITHUB_TOKEN to an external server. Orca Security identified the flaw, and Microsoft patched it after responsible disclosure. The incident highlights the risk of prompt-injection attacks in AI-assisted development workflows and underscores the need for tighter safeguards around LLM integrations, in particular treating issue content as untrusted data rather than as instructions.

Sources: